deps: update openssl to quictls/openssl 3.0.0+quic
This pull request updates the OpenSSL version that is statically linked with Node.js from OpenSSL 1.1.1 to quictls OpenSSL 3.0.0+quic.
This pull request will replace the OpenSSL version that is currently in the deps directory, and when performing a normal build OpenSSL 3.0+quic will be statically linked to the Node.js executable. We will still be able to dynamically link to OpenSSL 1.1.1, and we have a CI job which dynamically links to OpenSSL 1.1.1 and is run for every pull request to make sure that we maintain backward compatibility.
The question is when does the community think that we should make this switch to OpenSSL 3.0+quic?
Building
$ ./configure && make -j8 test
...
[03:59|% 100|+ 3363|- 0]: Done
Verify that OpenSSL is statically linked
$ ldd ./node
linux-vdso.so.1 (0x00007ffff7fcf000)
libdl.so.2 => /usr/lib64/libdl.so.2 (0x00007ffff7f9d000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00007ffff7da4000)
libm.so.6 => /usr/lib64/libm.so.6 (0x00007ffff7c5e000)
libgcc_s.so.1 => /usr/lib64/libgcc_s.so.1 (0x00007ffff7c44000)
libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007ffff7c22000)
libc.so.6 => /usr/lib64/libc.so.6 (0x00007ffff7a59000)
/lib64/ld-linux-x86-64.so.2 (0x00007ffff7fd1000)
$ ./node -p 'process.versions.openssl'
3.0.0+quic
Building with FIPS support
$ ./configure --openssl-is-fips && make -j8 test
...
[04:06|% 100|+ 3384|- 0]: Done
The above command will build and install the FIPS module into the out directory.
This includes building fips.so, running the installfips command that generates the FIPS configuration file (fipsmodule.cnf), copying and updating openssl.cnf to include the correct path to fipsmodule.cnf, and finally uncommenting the fips section.
We can then run node specifying --enable-fips:
$ ./node --enable-fips -p 'crypto.getFips()'
1
The above will use Node's default locations for OpenSSL 3.0:
$ ./out/Release/openssl-cli version -m -d
OPENSSLDIR: "/home/danielbevenius/work/nodejs/openssl/out/Release/obj.target/deps/openssl"
MODULESDIR: "/home/danielbevenius/work/nodejs/openssl/out/Release/obj.target/deps/openssl/lib/openssl-modules"
Hopefully having these defaults will enable CI jobs to be configured without too much trouble, and also enable developers to configure FIPS for development/testing.
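The openssl.cnf step described under "Building with FIPS support" (set the include path to fipsmodule.cnf, uncomment the fips line), as an added example that is not part of this pull request or of Node.js's build scripts. The function names are hypothetical, the config excerpt is constructed, and the path to fipsmodule.cnf is assumed to be absolute.

```shell
#!/bin/sh
# Added example, not Node.js build code. Function names are hypothetical.

# enable_fips_conf CONF MODULE_CNF: point the commented ".include" line at
# MODULE_CNF (absolute path assumed; must not contain '|' or '&') and
# uncomment the "fips = fips_sect" provider line.
enable_fips_conf() {
    tmp=$(mktemp) || return 1
    sed -e "s|^#[[:space:]]*\.include[[:space:]].*fipsmodule\.cnf.*|.include $2|" \
        -e 's|^#[[:space:]]*\(fips[[:space:]]*=[[:space:]]*fips_sect\)|\1|' \
        "$1" > "$tmp" && mv "$tmp" "$1"
}

# check_fips_conf CONF: succeed only if CONF has an active .include whose
# target file exists and an active fips provider line. A config where either
# is still commented out silently leaves the FIPS provider unloaded.
check_fips_conf() {
    inc=$(sed -n 's|^[[:space:]]*\.include[[:space:]]\{1,\}\(.*fipsmodule\.cnf\)[[:space:]]*$|\1|p' "$1" | head -n 1)
    [ -n "$inc" ] || { echo "no active .include for fipsmodule.cnf" >&2; return 1; }
    [ -f "$inc" ] || { echo "included file missing: $inc" >&2; return 1; }
    grep -Eq '^[[:space:]]*fips[[:space:]]*=[[:space:]]*fips_sect' "$1" ||
        { echo "fips provider line is still commented out" >&2; return 1; }
}

# write_sample_conf CONF: constructed excerpt shaped like the FIPS-related
# part of an OpenSSL 3.0 openssl.cnf before any edits.
write_sample_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init
# .include fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
# fips = fips_sect

[default_sect]
# activate = 1
EOF
}
```

Running check_fips_conf against the copied openssl.cnf before starting node with --enable-fips catches a stale include path early, instead of at provider load time.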